A bug in the WPA2 protocol was found: https://www.krackattacks.com/
It looks like for other Linux (and Android) systems, wpa_supplicant can be changed to fix this bug, but it looks like something else does the WPA2 (is it handled within ICd2 or within the driver?)

Are we stuck without a patch?

Fortunately, if you run HTTPS over WPA2 you'll still be fine, but I think I need a new set of certificates...

You can use wpa_supplicant on the N900 (if you compile a fixed version) just fine. However, there are a few caveats in connection with how the N900 handles connections and notifying applications of the availability of a connection.

Long story short: you need to stop wlancond so that wpa_supplicant can access the wlan0 interface. Then you also need to use a 'dummy' network connection on the connection selection UI.